Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-mf3v-f2qq-pf9g

Опубликовано: 14 мар. 2022
Источник: github
Github: Прошло ревью
CVSS3: 7.1

Описание

Insufficient Session Expiration in Sylius

Impact

The reset password token was not set to null after the password was changed. This is causing behaviour in which the same token can be used several times, so it can result in a leak of the existing token and an unauthorised password change.

Patches

The issue is fixed in versions: 1.10.11, 1.11.2 and above

Workarounds

You have to overwrite your Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler class using this code:

<?php declare(strict_types=1); namespace App\CommandHandler\Account; use Sylius\Bundle\ApiBundle\Command\Account\ResetPassword; use Sylius\Component\Core\Model\ShopUserInterface; use Sylius\Component\Resource\Metadata\MetadataInterface; use Sylius\Component\User\Repository\UserRepositoryInterface; use Sylius\Component\User\Security\PasswordUpdaterInterface; use Symfony\Component\Messenger\Handler\MessageHandlerInterface; use Webmozart\Assert\Assert; final class ResetPasswordHandler implements MessageHandlerInterface { private UserRepositoryInterface $userRepository; private MetadataInterface $metadata; private PasswordUpdaterInterface $passwordUpdater; public function __construct( UserRepositoryInterface $userRepository, MetadataInterface $metadata, PasswordUpdaterInterface $passwordUpdater ) { $this->userRepository = $userRepository; $this->metadata = $metadata; $this->passwordUpdater = $passwordUpdater; } public function __invoke(ResetPassword $command): void { /** @var ShopUserInterface|null $user */ $user = $this->userRepository->findOneBy(['passwordResetToken' => $command->resetPasswordToken]); Assert::notNull($user, 'No user found with reset token: ' . $command->resetPasswordToken); $resetting = $this->metadata->getParameter('resetting'); $lifetime = new \DateInterval($resetting['token']['ttl']); if (!$user->isPasswordRequestNonExpired($lifetime)) { throw new \InvalidArgumentException('Password reset token has expired'); } if ($command->resetPasswordToken !== $user->getPasswordResetToken()) { throw new \InvalidArgumentException('Password reset token does not match.'); } $user->setPlainPassword($command->newPassword); $this->passwordUpdater->updatePassword($user); $user->setPasswordResetToken(null); } }

And register it in container:

App\CommandHandler\Account\ResetPasswordHandler: arguments: - '@sylius.repository.shop_user' - !service class: Sylius\Component\Resource\Metadata\MetadataInterface factory: [ '@sylius.resource_registry', 'get' ] arguments: - 'sylius.shop_user' - '@sylius.security.password_updater' tags: - { name: messenger.message_handler, bus: sylius.command_bus } - { name: messenger.message_handler, bus: sylius_default.bus }

For more information

If you have any questions or comments about this advisory:

Ссылки

Пакеты

Наименование

sylius/sylius

composer
Затронутые версииВерсия исправления

>= 1.10.0, < 1.10.11

1.10.11

Наименование

sylius/sylius

composer
Затронутые версииВерсия исправления

>= 1.11.0, < 1.11.2

1.11.2

EPSS

Процентиль: 44%
0.00217
Низкий

7.1 High

CVSS3

CVE ID

CVE-2022-24743

Дефекты

CWE-613

Связанные уязвимости

nvd логотип

CVE-2022-24743

CVSS3: 7.1
nvd
почти 4 года назад

Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password change. The issue is fixed in versions 1.10.11 and 1.11.2. As a workaround, overwrite the `Sylius\Bundle\ApiBundle\CommandHandler\ResetPasswordHandler` class with code provided by the maintainers and register it in a container. More information about this workaround is available in the GitHub Security Advisory.

EPSS

Процентиль: 44%
0.00217
Низкий

7.1 High

CVSS3

CVE ID

CVE-2022-24743

Дефекты

CWE-613